RE: /sumthin Revisited

From: Jonathan A. Zdziarski (jonathanat_private)
Date: Tue Jan 07 2003 - 14:25:44 PST


    Well, whatever it is, it is obviously only interested in the web server
    itself and not individual websites; this is evident from the HTTP/1.0
    header, which will always reference the default documents on the system,
    and not a virtual host.
    
    I've been grepping through some scanners lately and haven't been able to
    find 'sumthin' in any of them; so far I've checked nmap, webvulnscan, nikto,
    and a few others.  The HTTP/1.0 tells me, though, that this tool is
    designed to do what everyone has already concluded: check
    server version/module information.
    
    > -----Original Message-----
    > From: Sverre H. Huseby [mailto:shhat_private] 
    > Sent: Tuesday, January 07, 2003 4:32 PM
    > To: Chris Norris
    > Cc: incidentsat_private; Noam Eppel
    > Subject: Re: /sumthin Revisited
    > 
    > 
    > [Chris Norris]
    > 
    > |   Maybe it's a port 80 scanner that captures banner info. Issuing
    > |   GET /sumthin would 99.99% produce a 404 and some server info which
    > |   could be added to a database.
    > 
    > Yes, but you could just as well have obtained the info using 
    > "HEAD /", which wouldn't show up in the error_log.
    > 
    > The "GET /sumthin" is the fingerprint of something.  A worm, 
    > a scanner or something (sumthin) completely harmless.  I 
    > think Noam's goal is to find out what this fingerprint 
    > matches.  And I'm quite curious myself, as I see it coming 
    > from many different IP addresses, and only for my 
    > SSL/TLS-enabled domain.
    > 
    > 
    > Sverre.
    > 
    > -- 
    > shhat_private		Computer Geek?  Try my Nerd Quiz
    > http://shh.thathost.com/	http://nerdquiz.thathost.com/
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer 
    > service. For more information on this free incident handling, 
    > management and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    
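The thread's heuristic (a bogus path, sent as HTTP/1.0 with no Host header so it lands on the default server, drawing a 404 that both returns the Server: banner and leaves an error_log entry) can be turned into a simple log check. The following is an added example, not code posted by anyone in the thread: it parses Apache combined-format access log lines, flags requests matching that pattern, and counts them per source IP. The log lines are constructed for illustration, and the probe path list and the HTTP/1.0 condition are assumptions taken from the discussion above, not from any identified scanner.

```python
"""Flag banner-grab probes like "GET /sumthin" in an Apache access log.

Added example, not code from the original thread.  The log lines below are
constructed for illustration; the path list and the HTTP/1.0 heuristic are
assumptions drawn from the discussion (an HTTP/1.0 request carries no Host
header, so it lands on the default server, and a 404 for a bogus path is
enough to read the Server: banner).
"""
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [07/Jan/2003:14:01:02 -0800] "GET /sumthin HTTP/1.0" 404 295 "-" "-"
198.51.100.7 - - [07/Jan/2003:14:03:15 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.10 - - [07/Jan/2003:14:05:44 -0800] "HEAD / HTTP/1.0" 200 - "-" "-"
192.0.2.55 - - [07/Jan/2003:14:07:09 -0800] "GET /sumthin HTTP/1.0" 404 295 "-" "-"
198.51.100.7 - - [07/Jan/2003:14:09:31 -0800] "GET /robots.txt HTTP/1.1" 404 290 "-" "Googlebot/2.1"
"""

# One combined-format line: ip ident user [ts] "METHOD path HTTP/x.y" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths no legitimate client asks for; "/sumthin" is the one from the thread.
# Assumed list: extend it with whatever bogus paths your own logs show.
PROBE_PATHS = frozenset({"/sumthin"})


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it
    does not parse (malformed lines are skipped rather than raising)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_banner_probe(rec):
    """Heuristic from the thread: a request for a bogus path, sent as
    HTTP/1.0 (no Host header, so it hits the default server, not a vhost),
    that drew a 404.  The 404 response carries the Server: banner the
    scanner is after, and the failed lookup is what puts the request in
    error_log in the first place."""
    return (rec["path"] in PROBE_PATHS
            and rec["ver"] == "1.0"
            and rec["status"] == "404")


def would_hit_error_log(rec):
    """A request is only written to error_log when it fails; a "HEAD /"
    that returns 200 reads the same banner without leaving that trace."""
    return int(rec["status"]) >= 400


def probe_sources(log_text):
    """Count probe requests per source IP across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_banner_probe(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in sorted(probe_sources(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip}: {n} probe(s)")
```

Note that the same source also sends "HEAD / HTTP/1.0" and gets a 200, which the probe check deliberately ignores: it reads the banner just as well but never reaches error_log, which is exactly why grepping error_log alone under-counts this kind of scan.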



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 15:33:34 PST